Tenable One: Okta IdP

One of the most common IdPs used to configure SAML with Tenable One is Okta. The following steps guide you through the configuration process from start to finish.

Manual configuration requires the following:

  • Login URL: A custom URL provided by Tenable in the following format:

    https://cloud.tenable.com/saml/login/PLACEHOLDER
  • Audience URI (SP Entity ID): A custom ID provided by Tenable during SAML configuration in the following format:

    TENABLE_IO_PLACEHOLDER
  • A certificate within the SAML metadata object that matches the data originally sent to Tenable.

    Note: Tenable does not support the use of multiple certificates and only extracts the first certificate from the metadata object. If the object includes multiple certificates, you must specify which certificate to use if it is not the first one listed.

Okta: Create Initial Application Integration

To create an application integration in Okta:

  1. In your browser, navigate to the Okta Admin portal.

  2. In the left navigation menu, click Applications > Applications.

    The application window appears.

  3. Click Create App Integration.

    The Create a new app integration window appears.

  4. Select the SAML 2.0 radio button.

  5. Click Next.

    The General Settings options appear.

  6. In the App name text box, type a name for your application.

  7. (Optional) To add a custom logo for the application, in the App logo section, upload a .png, .jpeg, or .gif file.

  8. Click Next.

    The Configure SAML options appear.

  9. In the Single sign-on URL text box, type the following placeholder URL:

    https://cloud.tenable.com/saml/login/PLACEHOLDER
    Note: You will later replace PLACEHOLDER with a unique UUID for the SAML configuration. This link is case-sensitive.
  10. In the Audience URI (SP Identity ID) text box, type the following placeholder text:

    TENABLE_IO_PLACEHOLDER
    Note: You will later replace PLACEHOLDER with a unique UUID for the SAML configuration.
  11. In the Application username drop-down, select Email.

  12. Leave all other default settings. For reference:

    1. The Use this for Recipient URL and Destination URL check box is selected.

    2. The Default RelayState text box is blank.

    3. The Name ID format drop-down is set to Unspecified.

    4. The Update application username on drop-down is set to Create and update.

  13. Click Next.

    The Feedback options appear.

  14. (Optional) Provide any feedback you want to include.

  15. Click Finish.

    Okta saves your application configuration and the new application's Sign On settings page appears.

  16. Under SAML 2.0 > Metadata details > Metadata URL, click Copy.

  17. In a new browser tab, navigate to the copied URL.

    The application's metadata appears in XML format.

  18. In your browser, using the Save Page As option, save the resulting file as metadata.xml.

    Your browser downloads the metadata.xml file.

Tenable One SAML Configuration

Once you have downloaded your medata.xml file, you can use it to configure SAML in Tenable One. You can configure this directly in the Tenable Vulnerability Management application.

To set up the Tenable One SAML configuration:

  1. In your browser, navigate to Tenable One.
  2. On the Workspace page, click Tenable Vulnerability Management.

    The Tenable Vulnerability Management user interface appears.

  3. In the upper-left corner, click the button.

    The left navigation plane appears.

  4. In the left navigation plane, click Settings.

    The Settings page appears.

  5. Click the SAML tile.

    The SAML page appears.

  6. In the action bar, click Create.

    The SAML Settings page appears.

  7. Do one of the following:

  8. Click Save.

    Tenable Vulnerability Management saves your SAML configuration and you return to the SAML page.

  9. In the row for the SAML configuration you just created, click the button.

    An actions menu appears.

  10. Click Download SAML SP metadata.

    Your browser downloads the metadata.xml file. You can now use this file for final configuration in your IdP.

Optional: Configure One or More User Groups to Automatically Add a User upon SAML Login

User groups allow you to manage user permissions for various resources in Tenable One. When you assign users to a group, the users inherit the permissions assigned to the group. When you enable the Managed by SAML option for a user group, Tenable One allows you to automatically add any user that logs in via SAML to that group.

Important: For this option to work successfully, you must also configure the related group claim within your IdP. View the final IdP configuration steps for more information.

Before you begin:

Ensure you've enabled the Group Management Enabled toggle when configuring the SAML settings within Tenable One.

To enable the Managed by SAML option:

  1. In Tenable Vulnerability Management, in the upper-left corner, click the button.

    The left navigation plane appears.

  2. In the left navigation plane, click Settings.

    The Settings page appears.

  3. Click the Access Control tile.

    The Access Control page appears.

  4. Click the Groups tab.

    The Groups page appears.

  5. In the user groups table, click the user group to which you want to automatically add your SAML users.

    The Edit User Group page appears.

  6. In the General section, select the Managed by SAML check-box.

  7. Click Save. Tenable Vulnerability Management saves your changes. Once you configure the related claim within your IdP, any time a user logs in via your SAML configuration, Tenable One automatically adds them to the specified user group.

Okta: Configure Final Application Integration and Upload Metadata

Now that you have downloaded the completed metadata file, you can use that file to finalize the Tenable application configurations in Okta.

  1. In your browser, navigate to the Okta Admin portal.

  2. In the left navigation menu, click Applications > Applications.

    The Applications page appears.

  3. Select the application you previously created.

    The General page appears.

  4. In the SAML Settings section, click Edit.

    The General Settings page appears.

  5. Click Next.

    The Configure SAML options appear.

  6. In the Single sign-on URL text box, replace the previously submitted placeholder with the URL listed in the metadata.xml file that you downloaded from Tenable One.

    Tip: This URL is in the following format: https://cloud.tenable.com/saml/login/PLACEHOLDER.
  7. In the Audience URI (SP Identity ID) text box, replace the previously submitted placeholder with the ID listed in the metadata.xml file that you downloaded from Tenable One.

    Tip: This ID is in the following format: TENABLE_IO_PLACEHOLDER.
  8. Click Next.

    The Feedback options appear.

  9. Click Finish.

    Okta saves your changes to the application.

Assign Users and/or Groups to the Okta Application

To assign the application to your users or groups:

  1. In your browser, navigate to the Okta Admin portal.

  2. In the left navigation menu, click Applications > Applications.

    The Applications page appears.

  3. Select the application you previously created.

    The General page appears.

  4. Click the Assignments tab.

    The Assignments page appears.

  5. Click the Assign button and, in the drop-down, select one or both of the following:

    • Assign to People — Any assigned users will have access to this application within their Okta My Apps dashboard, and will be able to login to Tenable One.

    • Assign to Groups — Any users within assigned groups will have access to this application within their Okta My Apps dashboard, and will be able to login to Tenable One.

    Important: If you’ve opted to optionally Configure One or More User Groups to Automatically Add a User upon SAML Login, ensure any assigned group name in Okta matches the user group name within Tenable One. If the names do not match, the user and/or user group link will fail.

    An Assign window appears.

  6. Next to the user or group to which you want to assign the application, click Assign.

  7. Repeat for each user or group to which you want to assign the application.

  8. Click Done.

    Okta saves your changes, and your configuration is ready for use.

Optional: Finalize Configuration for Managed by SAML Group Option

If you enabled the Managed by SAML option to automatically add any user that logs in via SAML to a user group, then you must configure a related group claim within the Okta IdP.

To configure the IdP group claim:

  1. In your browser, navigate to the Okta Admin portal.

  2. In the left navigation menu, click Applications > Applications.

    The Applications page appears.

  3. Select the application you previously created.

    The General page appears.

  4. In the SAML Settings section, click Edit.

    The General Settings page appears.

  5. Click Next.

    The Configure SAML options appear.

  6. Do one of the following:

  7. Click Next.

    The Feedback options appear.

  8. Click Finish.

    Any time a user assigned to this Okta group name logs in via your SAML configuration, Tenable One automatically adds them to the specified matching user group within Tenable One.

Optional: Finalize Configuration for Managed by SAML Role Option

Roles allow you to manage privileges for major functions in Tenable One and control which Tenable One resources users can access.

If you enabled the IdP Assigns User Role at Provisioning and/or IdP Resets User Role at Each Login (to automatically add and/or assign any user that logs in via SAML to a user role) settings, then you must complete the following steps within Okta:

To configure the managed by SAML role option:

  1. In your browser, navigate to the Okta Admin portal.

  2. In the left navigation menu, click Applications > Applications.

    The Applications page appears.

  3. Select the application you previously created.

    The General page appears.

  4. In the SAML Settings section, click Edit.

    The General Settings page appears.

  5. Click Next.

    The Configure SAML options appear.

  6. Do one of the following:

    Any time a user assigned to the application logs in via your SAML configuration, Tenable One automatically adds them to the user role mapped to the Okta application, or, depending on your configuration, mapped to their Okta user profile.